AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is building an ecommerce application and needs to store sensitive customer information. The company needs to give customers the ability to complete purchase transactions on the website. The company also needs to ensure that sensitive customer data is protected, even from database administrators.

Which solution meets these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt the data. Use an IAM instance role to restrict access.

Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side encryption to encrypt the data.

Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to encrypt the data. Use S3 bucket policies to restrict access.

Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use Windows file permissions to restrict access.

Explanation:

Explanation

Correct Answer: B - Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side encryption to encrypt the data.

Why Option B is Correct:

Amazon RDS for MySQL is appropriate for storing structured customer data for an ecommerce application, as it provides a managed relational database service that can handle transactional data.
AWS KMS client-side encryption is crucial for protecting sensitive data "even from database administrators." With client-side encryption:
- Data is encrypted before it reaches the database
- The database administrator cannot access the plaintext data
- Only authorized applications with the proper encryption keys can decrypt the data
- This provides true separation of duties and protection against insider threats
RDS encryption at rest (which uses KMS) would not fully meet the requirement because database administrators could potentially access the data through database privileges. Client-side encryption ensures the data is encrypted before it reaches the database.

Why Other Options Are Incorrect:

A. Amazon EBS volume with EBS encryption:

EBS volumes are block storage, not ideal for structured customer data in an ecommerce application
EBS encryption protects data at rest, but database administrators could still access the data through the database
Not suitable for transactional web application data storage

C. Amazon S3 with KMS server-side encryption:

S3 is object storage, not ideal for transactional database operations
Server-side encryption doesn't protect against database administrators who have access to the database
S3 is better for static files, not for dynamic transactional data

D. Amazon FSx for Windows Server:

File storage solution, not suitable for structured customer data in an ecommerce application
Windows file permissions don't provide encryption protection
Database administrators could still access the data

Key Security Principles Applied:

Defense in Depth: Multiple layers of security (encryption + access controls)
Principle of Least Privilege: Database administrators shouldn't have access to sensitive customer data
Data Protection: Encryption at the application layer ensures data is protected throughout its lifecycle
Separation of Duties: Different teams manage encryption keys vs. database administration

This solution ensures that sensitive customer information (like credit card details, personal information) is protected even if database administrators have access to the database infrastructure, meeting the specific requirement stated in the question.

Powered ByGPT-5.2

Comments

Loading comments...